units: restrict hugepages fs a bit

suid binaries and device nodes should not be placed there, hence forbid it. Of all the API VFS we mount from PID 1 or via a unit file this one is the only one where we didn't add MS_NODEV/MS_NOSUID. Let's address that, since there's really no reason why device nodes or suid binaries would be placed in hugetlbfs.
2025-05-28 13:05:47 +03:00 · 2023-04-26 16:55:42 +02:00 · 2023-04-26 16:55:42 +02:00 · e76b3d4ed2
commit e76b3d4ed2
parent a02287eab3
1 changed files with 1 additions and 0 deletions
--- a/units/dev-hugepages.mount
+++ b/units/dev-hugepages.mount
@ -21,3 +21,4 @@ ConditionVirtualization=!private-users
 What=hugetlbfs
 Where=/dev/hugepages
 Type=hugetlbfs
+Options=nosuid,nodev